That is not a valid excuse.
Nowadays SSL certificates are not that expensive (ranges from $30 to $150).
But since we already know that CA system is broken (Comodo, DigiNotar hack), even self signed certificate with published fingerprint (e.g. on the website) would be much better than using HTTP. Those who want to use HTTPS can compare fingerprints and add an exception in the browser.
Alongside HTTPS we can also have HTTP available forum for those that don't think that is an issue.
BTW, looks like kohanaframework.org is registered with Gandi.net. Maybe they are willing to donate certificate for the open source project. It's not sin to ask.